Method and program product for reducing database walk frequency while repetitively accessing a firewall connection and rule database

ABSTRACT

A database operable in a multithreaded environment has a database update code. Each thread accessing the database obtains lock prior to walking the database. Any thread that alters database structure, such as by adding or deleting a record of the database, writes the database update code. Before releasing lock, the thread copies the database update code and a current record pointer into memory locations private to the thread. When a thread requires a second access to a record of the database, it obtains lock. The thread then compares its copy of the update code to the database update code, if they are different the thread must re-walk the database to locate the record since database structure has changed since the thread first accessed the database. If the thread&#39;s copy of the update code matches the database update code, database structure has not changed since a prior access of the thread to the database; in this case the record may be accessed through the thread&#39;s copy of the record pointer with no walk required. In a particular embodiment, the database is accessed through a hash table and contains firewall connection and filter rule information.

RELATED APPLICATIONS

[0001] The present application is related to the material of copending,cofiled, U.S. patent application Ser. No. ______ attorny docket number200312201-1, entitled “System for Controlling Client-Server ConnectionRequests Using Default Rules” the disclosure of which is herebyincorporated herein by reference.

FIELD

[0002] The present application relates to the field of database lockingand walking in multithreaded systems.

BACKGROUND

[0003] A database having thousands of entries often has complexstructure. Hash table and tree structures (including B-trees) are commonin the database art.

[0004] Navigating a database to find a particular database record isknown to be a potentially time consuming process, typically requiringfollowing multiple pointers and, in the case of a hash table structure,computing hash functions. Hash table structures also require searchingfor an exact match or empty location after indexing into a hash table.Hash table datastructures constructed with dynamically allocated memorymay require following a considerable number of pointers to locate arecord in the database. Following database structure to locate aparticular record of a database is known herein as “walking” thedatabase.

[0005] Adding a record to a database typically requires finding a parentor previous record in the database, allocating a new memory data record,then manipulating pointers to add the new record to the database.Similarly, deleting a record from a database requires knowledge of thelocation of the parent or previous record in the database, as well asthe current record.

[0006] Many modern operating systems, including recent versions ofMicrosoft Windows, are multithreaded operating systems. These systemspermit programs to be divided into multiple threads, each threadcontaining executable code and data that can be invoked independently ofother threads by multitasking management code of the operating system.Typically, the operating system assigns a processor to execute a threadfor a period of time, then interrupts execution of the thread and allowsanother thread to execute. Typically, code of a thread can share datawith other threads of the program. These systems also permit part or allof the executable code to be common code, executed independently onseparate data.

[0007] Multithreaded operating systems may also execute on multipleprocessors of a system. Threads may be assigned by the operating systemto different processors for execution, therefore several threads may beexecuted simultaneously by the system, with each processor timesharedamong yet more threads.

[0008] A firewall system requires a database of rules for filteringnetwork communication packets as they are relayed through multiplenetwork interfaces of the system. Packets are often associated withconnections; it is known that threads may be associated with packetsassociated with particular connections through the firewall. A firewallstructured in this way may have hundreds or thousands of threads each ofwhich may receive execution resources at any time.

[0009] In a multithreaded environment, it is typically necessary toensure that database structures are not changed by a first thread whilea second thread modifies database structure, as happens when the secondthread adds new records to, or deletes existing records from, thedatabase. Simultaneous access by the first and second threads todatabase structure may cause database link corruption, leading tothreads following an invalid link, resulting in access to randomlocations or uninitialized memory contents; a memory out-of-bounds errormay also occur. A database-lock mechanism is typically used to preventthe first thread from accessing database structure while the secondthread alters database structure. Once the second thread is donealtering database structure, the first thread is permitted to access thedatabase.

[0010] Database lock mechanisms may be exclusive, where exclusive accessis obtained by a thread for reading or writing to database structure.Database lock mechanisms are also known that are nonexclusive for read,but exclusive for write, where lock for read prevents grant of lock forwrite.

[0011] A firewall connection and filter rule information database canrequire multiple accesses by a thread to the same record of thedatabase; these accesses can be separated in time. A connection andfilter rule information database can serve as a limit table as describedin copending, cofiled, U.S. patent application Ser. No. ______ <HPdocket number 2201/2250>, entitled “System for Controlling Client-ServerConnection Requests Using Default Rules”. For example, it can bedesirable to keep a count of connections through the firewall betweenparticular upper level protocol (ULP) ports at particular InternetProtocol (IP) addresses in a connection database record. The ULP may beTransmission Control Protocol (TCP), User Datagram Protocol UDP, or asimilar protocol. The ULP may involve layered protocols, such as SimpleMail Transfer Protocol (SMTP) which typically operates over port 25 ofTCP. A connection database record used for counting currentSMTP-over-TCP connections between particular IP addresses is accessed atleast on initiation and completion of each SMTP-over-TCP connection.

[0012] Since walking a database can take considerable time, it isdesirable to minimize the number of times per connection at which thedatabase must be walked.

SUMMARY

[0013] A database operable in a multithreaded environment and accessedthrough a hash table has a database update code. A lock mechanism isprovided such that a thread may obtain access to the database whileensuring that no other thread is concurrently writing databasestructure.

[0014] Each thread accessing the database obtains lock prior to walkingthe database. Any thread that alters database structure, such as byadding or deleting a record of the database, writes the database updatecode. Before releasing lock, the thread copies the update code andcurrent record pointer into memory locations private to the thread.

[0015] When a thread requires a second access to a record of thedatabase, it obtains lock. The thread then compares its copy of theupdate code to the database update code, if they are different thethread must re-walk the database to locate the record since databasestructure has changed since the thread first accessed the database. Ifthe thread's copy of the update code matches the database update code,database structure has not changed since a prior access of the thread tothe database; in this case the record may be accessed through thethread's copy of the record pointer with no walk required.

[0016] In a particular embodiment, the database is accessed through ahash table and contains firewall connection and filter rule information.

BRIEF DESCRIPTION OF THE DRAWINGS

[0017]FIG. 1 is an exemplary block diagram of a database, such as afirewall connection and rule database, accessed through a hash-table.

[0018]FIG. 2 is an exemplary flowchart of actions taken by the firewallsystem to access the connection and rule database when a connectionthread is initialized.

[0019]FIG. 3 is an exemplary flowchart of actions taken by the firewallsystem when a connection thread must access the connection and ruledatabase for a second time.

[0020]FIG. 3A is an exemplary flowchart of actions taken by analternative embodiment of the firewall system to access the connectionand rule database when a connection thread is initialized.

[0021]FIG. 4 is an exemplary block diagram of an apparatus for accessinga database.

DETAILED DESCRIPTION OF THE EMBODIMENTS

[0022] A firewall system contains a database of connection and filterrule information. This database 100, illustrated in FIG. 1, has adatabase header 102 containing a lock flag 104, storage for an updatecode 106, a pointer 108 to a hash bucket table 110, a hash table mask112.

[0023] The firewall system constructs a thread for each connectionthrough the firewall as illustrated in the flowchart of FIG. 2. Aconnection thread is created 202 when a SYN packet, requesting setup ofa TCP connection, is received by the firewall. The SYN packetinformation is stored in memory local to the thread, and is used todetermine whether the SYN packet should be forwarded or blocked.

[0024] When a thread, including a newly created connection thread 202,requires access to the database 100, it tests the lock flag 104 toensure that no other thread is accessing database structure. If the lockflag 104 is already set, the thread in one embodiment waits and rechecksthe lock flag 104 later, rechecking the lock flag 104 is known as aspinlock. In another embodiment the thread is linked to a lock requestqueue 114 associated with the database. Whenever an existing lock isreleased one thread pending on lock request queue 114 is reactivated andgranted lock. If the lock flag 104 was clear, the lock flag 104 is setand execution of the thread continues. The lock obtained 203 istherefore exclusive for reading or writing database structure. In analternative embodiment, a nonexclusive read-lock is implemented with anexclusive write-lock.

[0025] The thread then determines 204 a hash index based upon a searchkey. In the firewall system, when locating connection records the searchkey includes a source IP address, a destination IP address, and adestination port number, associated with the connection. When locatingrules, the search key may include part or all of the source IP address,destination IP address, and destination port number. The hash index isused to locate an associated bucket pointer 120 in hash bucket table110.

[0026] If 206 the bucket pointer 120 is null, such as null pointer 122,an associated connection record similar to record 124 is created,initialized, and added 208 to the database; addition of records 124 tothe database constitutes altering database structure.

[0027] If the bucket pointer 120 is not null, the pointer points to alinked list of connection records 124, where each record contains aforward link 126 and key information 128. In the firewall, the keyinformation 128 includes source and destination IP addresses and adestination port number. The thread walks 210 the list, followingforward links 126 until a record, such as record 130, is found where thekey information 128 of the record matches a search key. If 212 nomatching key is found in the database, as indicated by a key mismatchand a null forward link 126, a new record is created, initialized, andadded 208 to the database.

[0028] If 212 a matching key is found in the database, any filter rulesfound in a connection and filter data 132 portion of the record areapplied 214 to the attempted new connection. An attempted new connectionmay be allowed or rejected according to the filter rules. In aparticular embodiment of a firewall, connection and filter data 132includes a connection count field that may hold a count of connectionsthrough the firewall from a specific source IP address to a specificdestination IP address and destination ULP number. In this embodiment,connection and filter data 132 may also include rule incorporating amaximum connection count for connections from the specific source IPaddress to the specific destination IP address and destination ULPnumber.

[0029] Whenever a new record is added 208 to the database, or otherchanges to database structure are made, the database update code 106 ischanged. In the copending, cofiled, application the database update code106 is known as a unique identifier (UID).

[0030] Whether a new record was added to the database, or an existingrecord found, the database update code 106 is copied 216 to an updatecode copy 140 in a memory area, which may be thread-specific memory area142. A pointer to the record is also copied into a record pointer 144 inmemory, which may be thread-specific memory 142.

[0031] Lock is then released 218, allowing other threads to access, andpossibly modify, the database.

[0032] When a thread must access the same record of the database again,such as when the firewall system receives a further packet associatedwith a connection, a connection disconnect command packet is received,or when a connection times out and is dropped, the thread has twooptions. It may re-walk the database structure to locate the record in amanner similar to that heretofore discussed with reference to FIGS. 1and 2. Alternatively, if the memory areas, such as thread-specificmemory 142, are readily accessible, the thread follows an abbreviatedaccess procedure illustrated in the exemplary flowchart of FIG. 3.

[0033] When following the abbreviated access procedure of FIG. 3, thethread obtains database lock 304. Lock is obtained as heretoforedescribed with reference to lock flag 104 and lock queue 114.

[0034] The database update code 106 is compared 306 to the thread's copyof the update code 140 to determine if the database structure haschanged since the associated database record was last found andreferenced by the thread. If 306 the database update code 106 matchesthe thread's copy of the update code 140, the thread is permitted toaccess 308 the database record using the saved thread record pointer144. If accessing 308 the record involves deleting the record, as mayoccur when a connection is dropped, or other changes to databasestructure, the database update code 106 is changed. If accessing 308 therecord involves changes to data stored within the record, such as aconnection count, without change to database structure the databaseupdate code 106 is not changed.

[0035] If 306 the database update code 106 does not match the thread'scopy of the update code 140, the database structure has likely changedsince any prior access to the database record thread. In this event, thehash index is used to locate an associated bucket pointer 120 in hashbucket table 110.

[0036] If 310 the bucket pointer 120 is null, such as null pointer 122,no connection record exists in the database, which may be an errorcondition 312.

[0037] If the bucket pointer 120 is not null, the pointer points to alinked list of connection records 124, where each record contains aforward link 126 and key information 128. The thread walks 314 the list,following forward links 126 until a record, such as record 130, is foundwhere the key information 128 of the record matches the search key. If316 no matching key is found in the database, as indicated by a keymismatch and a null forward link 126, an error 312 may have occurred.Since error 312 should never occur, an alternative embodiment does notcheck for these error conditions.

[0038] If 316 a record, such as record 130, having a matching key isfound in the database, a pointer to the record 130 is saved in thethread record pointer 144 and the thread is permitted to access 308 therecord.

[0039] Accessing 308 the record may involve addition of a record to thedatabase, or otherwise altering database structure. If databasestructure is altered, the database update code 106 is updated.

[0040] When access 308 to the record completes, the database lock isreleased 320.

[0041] In an embodiment, update code 106 is a counter incremented eachtime the update code is changed. In an alternative embodiment, updatecode 106 is written with a value determined from the search key used tolocate the record being added to, or deleted from, the database at thetime database structure is changed.

[0042] In an embodiment used as a network firewall, the databasecontains connection state information associated with the TCP and UDPprotocols for each TCP and UDP connection. In an alternative embodiment,connection state information associated with the TCP and UDP protocolsfor each TCP and UDP connection is stored in a separate state tabledatabase. In this alternative embodiment the separate state tabledatabase is also accessed through a hash function comprising a hashfunction of the internet protocol source address, internet protocoldestination address, and upper level protocol port number associatedwith each packet.

[0043] An alternative embodiment of the firewall system constructs athread for each connection through the firewall as illustrated in theflowchart of FIG. 3A. In this embodiment, a connection thread is created332 when a SYN packet, requesting setup of a TCP connection, is receivedby the firewall. The SYN packet information is stored in memory local tothe thread, and is used to determine whether the SYN packet should beforwarded or blocked by the firewall.

[0044] When a thread, including a newly created connection thread,requires access to the database 100, it obtains lock 333 as previouslydiscussed with reference to the lock flag 104 to ensure that no otherthread is accessing database structure.

[0045] The thread then determines 334 a hash index based upon a searchkey. In the firewall system, the search key includes a source IPaddress, a destination IP address, and a destination port number,associated with the desired connection. The hash index is used to locatean associated bucket pointer 120 in hash bucket table 110.

[0046] If 336 the bucket pointer 120 is null, such as null pointer 122,the database update code 106 is saved, at step 338, in an update codecopy 140 local to the thread, and information required to add a recordto the database, such as a pointer to the null hash bucket entry, isalso saved in a addition location pointer 146 local to the thread. Theinformation required to add a record to the database includesinformation regarding where a new record should be linked into existingdatabase structure

[0047] If the bucket pointer 120 is not null, the pointer points to alinked list of connection records 124, where each record contains aforward link 126 and key information 128. In the firewall, keyinformation 128 includes source and destination IP addresses and adestination port number. The thread walks 340 the list, followingforward links 126 until a record, such as record 130, is found where thekey information 128 of the record matches a search key. If 342 nomatching key is found in the database, as indicated by a key mismatchand a null forward link 126, the database update code 106 is saved, atstep 338, in an update code copy 140 local to the thread, andinformation required to add a record to the database, such as a pointerto the last record of the list, is also saved in an addition locationpointer 146 local to the thread.

[0048] In both cases where a record is not found, database lock is thenreleased 344. Firewall rules, which may include rules external todatabase 100 such as rules that block all connections to ranges of portnumbers irrespective of IP addresses and rules that block all incomingconnections to ranges of destination IP addresses, are then applied 346.If connection is allowed, the thread obtains database lock again 350. Ifconnection is rejected, the packet may be dropped or the associatedconnection may be reset.

[0049] The current database update code 106 is compared 352 to thethread's copy of the update code 140 to determine if the databasestructure has changed since the database was walked in those steps ofsteps 334, 336, 348, 340, 342 previously executed by the thread. If 354the database update code 106 does not matche the thread's copy of theupdate code 140, the thread re-walks 356 the database 100 to determinewhere a new connection record, such as connection record 130, should beadded to the database; the addition location may be saved in theaddition location pointer 146. A new database record is then added 358to the database at the location determined by rewalking 356 thedatabase, or, if the database update code 106 matched the thread's copyof the update code 140, the location indicated by the addition locationpointer 146. Since a record has been added to the database, the databaseupdate code 106 is changed.

[0050] The database record is initialized or updated as required 360,and lock is released 362.

[0051] If 342 an existing entry was found in the database 100, thedatabase update code 106 and current record pointer are saved 364 inlocal copies 140, 144. Lock is then released 366, since the thread willbe performing, for a time, functions that do not involve the database.

[0052] Filter rules, if any, found in a connection and filter data 132portion of the record found are applied 368 to the attempted newconnection. Additional rules external to database 100 may also beapplied 368. An attempted new connection may be allowed or rejectedaccording to the filter rules. The filter rules include rules found indatabase 100 that limit the number of connections from specific sourceIP addresses to specific destination IP addresses and port numbers.

[0053] If the new connection is allowed, lock is obtained 370 once more.The record pointer 144 previously saved in thread-specific memory isvalidated by comparing the database update code 106 to the thread copyof the update code 140 and, if a mismatch is found, by re-walking thedatabase to obtain a valid pointer. A connection count in the record isthen updated 360 to indicate that an additional connection isestablished. Lock is then released 362, and execution continues.

[0054] An apparatus for accessing a database is illustrated in FIG. 4.This apparatus includes a processor 402 and a memory system 404, thememory system 404 may include multiple levels of memory including one ormore levels of cache memory, RAM, and may but need not include levels ofdisk memory and EPROM memory. Memory system also includes database 100and computer code 406 for accessing the database. The apparatus of FIG.4 may be part of a firewall system, in which case the memory systemincludes firewall packet relay and filtering code 410 and storage spacefor packet data 412.

[0055] A computer program product is any machine-readable media, such asan EPROM, ROM, RAM, DRAM, disk memory, or tape, having recorded on itcomputer readable code that, when read by and executed on a computer,instructs that computer to perform a particular function or sequence offunctions. The computer readable code of a program product may be partor all of a program, such as a program for accessing a database. Acomputer system, such as illustrated in FIG. 4, having memory, thememory containing computer code 406 for instructing a processor toexecute the heretofore described method is a computer program product.

[0056] While the forgoing has been particularly shown and described withreference to particular embodiments thereof, it will be understood bythose skilled in the art that various other changes in the form anddetails may be made without departing from the spirit and hereof. It isto be understood that various changes may be made in adapting thedescription to different embodiments without departing from the broaderconcepts disclosed herein and comprehended by the claims that follow.

What is claimed is:
 1. A method, operable in a multithreadedenvironment, of accessing a database, wherein for a first access by anexecuting thread to a record of the database matching a search key themethod comprises the steps: obtaining database lock, walking thedatabase to locate a record, copying a database update code into a savedupdate code, copying a pointer to the record into a saved recordpointer, releasing database lock; and wherein, for an access by anexecuting thread to a record that has already been located in thedatabase, the method comprises the steps of: obtaining database lock,comparing the database update code to the saved update code, if thedatabase update code failed to match the saved update code, walking thedatabase to locate the record, if the database update code matched thesaved update code, accessing the database through the saved recordpointer, and releasing database lock; wherein the step of changing thedatabase update code is performed whenever database structure isaltered.
 2. The method of claim 1 wherein the steps of walking thedatabase to locate the record are performed by steps further comprising:generating a hash function from a search key; locating an initial recordpointer by indexing a hash bucket table with the generated hashfunction; and if the initial record pointer is not null, searching for arecord key matching the search key in a list of records located throughthe initial record pointer.
 3. The method of claim 1 wherein thedatabase contains connection and rule information for a firewall system.4. A computer program product comprising machine readable media havingrecorded therein computer readable code for instructing a computer toperform database accesses in a multithreaded environment, wherein thecomputer readable code comprises computer readable code for locating arecord for initial accesses by an executing thread by executing stepscomprising: obtaining database lock, walking the database to locate arecord, copying a database update code into a saved update code inmemory associated with the executing thread, copying a pointer to therecord into a saved record pointer, releasing database lock; and whereinthe computer readable code further comprises computer readable code forlocating a record that has been previously accessed by steps comprising:obtaining database lock, comparing the database update code to the savedupdate code, if the database update code failed to match the savedupdate code, walking the database to locate the record, if the databaseupdate code matched the saved update code, accessing the databasethrough the saved record pointer, and releasing database lock whereinthe step of changing the database update code is performed wheneverdatabase structure is altered.
 5. Apparatus for performing databaseaccesses in a multithreaded environment comprising at least oneprocessor and a memory system having recorded therein a database andcomputer readable code for instructing the processor to perform accessesto the database, wherein the computer readable code comprises computerreadable code for locating a record for initial accesses by an executingthread by executing steps comprising: obtaining database lock, walkingthe database to locate a record, copying a database update code into asaved update code in memory associated with the executing thread,copying a pointer to the record into a saved record pointer, releasingdatabase lock wherein the step of changing the database update code isperformed whenever database structure is altered; and wherein thecomputer readable code further comprises computer readable code forlocating a record where a saved update code copy and saved recordpointer are available by steps comprising: obtaining database lock,comparing the database update code to the saved update code, if thedatabase update code failed to match the saved update code, walking thedatabase to locate the record, if the database update code matched thesaved update code, accessing the database through the saved recordpointer, and releasing database lock wherein the step of changing thedatabase update code is performed whenever database structure isaltered.
 6. The method of claim 5 wherein the database containsconnection and rule information for a firewall system.
 7. The method ofclaim 6, wherein the steps of walking the database to locate a recordfurther comprise generating a hash function of a search key, the searchkey comprising a source internet protocol address, a destinationinternet protocol address, and a destination upper level protocol portnumber.
 8. A method of accessing a connection count database of afirewall system comprises, for an access by a thread processing a SYNpacket, the steps of: preparing a search key from information comprisingpacket source IP, destination IP and ULP port number, obtaining databaselock, walking the database to locate any matching record, copying adatabase update code into a saved update code in memory associated withthe thread, if a record is found, copying a pointer to the record foundinto a saved record pointer, and if no record is found copying a pointerindicating a location in the database to which a new record should belinked into a saved addition location pointer, releasing database lockapplying any filter rules found in the database to the SYN packet todetermine if a new connection is allowed; and if a new connection isallowed and no record was found in the database, the method furthercomprises the steps of: obtaining database lock, comparing the databaseupdate code to the saved update code, if the database update code failedto match the saved update code, walking the database and adding a newrecord to the database, if the database update code matched the savedupdate code, accessing the database through the addition pointer to adda new record to the database, initializing the new record, updating thedatabase update code, and releasing database lock.
 9. The method ofclaim 8 wherein the steps of walking the database to locate the furthercomprise: generating a hash function from a search key comprising asource IP address, a destination IP address, and a destination portnumber; locating an initial record pointer by indexing a hash buckettable with the generated hash function; and if the initial recordpointer is not null, searching for a record key matching the search keyin a list of records located through the initial record pointer.
 10. Themethod of claim 8 wherein if an existing record is found in the databaseand a connection is allowed, further comprising incrementing aconnection count in the record.
 11. The method of claim 10 wherein thedatabase further comprises IP address and port specific rules forrestricting connections through the firewall.